Pidgin < 2.10.8 Multiple Vulnerabilities
Critical Nessus Plugin ID 72282
Synopsis
An instant messaging client installed on the remote Windows host is affected by multiple vulnerabilities.
Description
The version of Pidgin installed on the remote host is a version prior to 2.10.8. It is, therefore, potentially affected by the following vulnerabilities:
- The bundled version of Pango has an error that can lead to an application crash when rendering fonts and attempting to display certain Unicode characters.
- Errors exist related to handling unspecified characters, incorrect character encoding, incorrect XMPP timestamps, hovering a pointer over a long URL, unspecified HTTP responses, Yahoo! P2P messages, STUN responses, and IRC arguments that could cause application crashes and denial of service conditions.
(CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6484, CVE-2014-0020)
- Errors exist related to handling MSN SOAP, MSN OIM, and MSN header content that could cause application crashes when NULL pointers are dereferenced.
- An error exists related to XMPP content such that the 'from' portion of some 'iq' replies is not verified.
- Errors exist related to parsing chunked and Gadu-Gadu HTTP content, MXit emoticons, and SIMPLE headers that could allow buffer overflows.
(CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490)
- The application does not protect against links to untrusted executable content. (CVE-2013-6486)
Solution
Upgrade to Pidgin 2.10.8 or later.